



Internet Engineering Task Force                              S. Kushwaha
Internet-Draft                                        Oracle Corporation
Intended status: Standards Track                           29 April 2026
Expires: 31 October 2026


                     SCIM DID/VC Binding Extension
                  draft-kushwaha-scim-didvc-binding-00

Abstract

   This document defines an extension to the System for Cross-domain
   Identity Management (SCIM) for binding SCIM User resources to
   decentralized identity artifacts, including Decentralized Identifiers
   (DIDs) and Verifiable Credentials (VCs).  The extension introduces a
   read-only SCIM schema extension for User resources that exposes
   binding state for discovery, a new SCIM resource type named
   IdentityBinding that records auditable linkage between a SCIM user
   and one or more DIDs and credential references, and an optional SCIM
   schema extension for ServiceProviderConfig that advertises server
   capabilities for DID and VC binding.

   This specification intentionally does not define DID resolution,
   credential issuance, credential transport, or authentication flows.
   Instead, it defines how a SCIM service provider represents,
   discovers, queries, and manages binding state derived from those
   systems.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 31 October 2026.







Kushwaha                 Expires 31 October 2026                [Page 1]

Internet-Draft             SCIM DID/VC Binding                April 2026


Copyright Notice

   Copyright (c) 2026 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   3
     1.2.  Scope . . . . . . . . . . . . . . . . . . . . . . . . . .   4
     1.3.  Problem Statement . . . . . . . . . . . . . . . . . . . .   4
     1.4.  Design Goals  . . . . . . . . . . . . . . . . . . . . . .   4
   2.  Architecture Overview . . . . . . . . . . . . . . . . . . . .   5
   3.  Data Model  . . . . . . . . . . . . . . . . . . . . . . . . .   5
     3.1.  User Extension Schema . . . . . . . . . . . . . . . . . .   5
       3.1.1.  Derivation of primaryDid  . . . . . . . . . . . . . .   7
     3.2.  IdentityBinding Resource  . . . . . . . . . . . . . . . .   8
     3.3.  Relationship Between correlationModel and
           dids.relationship . . . . . . . . . . . . . . . . . . . .  13
     3.4.  ServiceProviderConfig Extension . . . . . . . . . . . . .  14
   4.  Processing Model  . . . . . . . . . . . . . . . . . . . . . .  15
     4.1.  Creation  . . . . . . . . . . . . . . . . . . . . . . . .  15
     4.2.  Validation  . . . . . . . . . . . . . . . . . . . . . . .  16
     4.3.  State Transitions . . . . . . . . . . . . . . . . . . . .  16
       4.3.1.  Re-evaluation of Rejected Bindings  . . . . . . . . .  18
     4.4.  Deletion  . . . . . . . . . . . . . . . . . . . . . . . .  18
   5.  Query, Filtering, PATCH, and Pagination . . . . . . . . . . .  18
     5.1.  Filtering . . . . . . . . . . . . . . . . . . . . . . . .  18
     5.2.  PATCH . . . . . . . . . . . . . . . . . . . . . . . . . .  20
     5.3.  Pagination  . . . . . . . . . . . . . . . . . . . . . . .  21
   6.  Error Handling  . . . . . . . . . . . . . . . . . . . . . . .  21
   7.  Discovery and Deployment  . . . . . . . . . . . . . . . . . .  22
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .  23
     8.1.  Threat Model  . . . . . . . . . . . . . . . . . . . . . .  23
     8.2.  Required Mitigations  . . . . . . . . . . . . . . . . . .  23
     8.3.  DID Control Proof Delivery  . . . . . . . . . . . . . . .  23
     8.4.  Replay Attack Mitigation  . . . . . . . . . . . . . . . .  24
     8.5.  Delegated Verifier Trust Scope  . . . . . . . . . . . . .  24
   9.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .  24



Kushwaha                 Expires 31 October 2026                [Page 2]

Internet-Draft             SCIM DID/VC Binding                April 2026


   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  25
   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .  25
     11.1.  Normative References . . . . . . . . . . . . . . . . . .  25
     11.2.  Informative References . . . . . . . . . . . . . . . . .  26
   Appendix A.  SCIM Schema URI Registration Templates . . . . . . .  26
     A.1.  User Extension  . . . . . . . . . . . . . . . . . . . . .  26
     A.2.  IdentityBinding . . . . . . . . . . . . . . . . . . . . .  26
     A.3.  ServiceProviderConfig Extension . . . . . . . . . . . . .  27
   Appendix B.  Examples . . . . . . . . . . . . . . . . . . . . . .  27
     B.1.  Example User Representation . . . . . . . . . . . . . . .  27
     B.2.  Example IdentityBinding Representation  . . . . . . . . .  28
     B.3.  Example ServiceProviderConfig Representation  . . . . . .  30
   Appendix C.  Discovery Examples . . . . . . . . . . . . . . . . .  30
     C.1.  Example /ResourceTypes Entry for IdentityBinding  . . . .  30
     C.2.  Example /Schemas Entry for the User Extension . . . . . .  31
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .  32
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  32

1.  Introduction

   SCIM provides a standard protocol and schema model for provisioning
   and managing identities across administrative domains [RFC7643]
   [RFC7644].  SCIM supports new resource types and schema extensions,
   publishes schema metadata through Schema resources, publishes
   resource metadata through ResourceType resources, and provides
   service capability discovery through ServiceProviderConfig [RFC7643].
   DID Core defines DID documents, verification methods, and proof-
   purpose relationships, while the Verifiable Credentials Data Model
   defines issuer, holder, verifier, status, schema, and validation
   concepts for verifiable credentials [DID-CORE] [VC-DATA-MODEL-2.0].

   In many deployments, SCIM is the system of record for account
   lifecycle, while DID and VC systems are the system of record for
   decentralized identifiers and cryptographic trust.  Today that
   linkage is usually proprietary: implementers invent local attributes,
   cannot query consistently, and cannot express lifecycle events such
   as DID deactivation, key rotation, or VC revocation in an
   interoperable SCIM form.  This specification fills that gap by
   standardizing binding state, not by embedding full DID documents or
   full VC payloads.

1.1.  Requirements Language

   The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
   SHOULD NOT, RECOMMENDED, NOT RECOMMENDED, MAY, and OPTIONAL in this
   document are to be interpreted as described in BCP 14 [RFC2119]
   [RFC8174] when, and only when, they appear in all capitals, as shown
   here.



Kushwaha                 Expires 31 October 2026                [Page 3]

Internet-Draft             SCIM DID/VC Binding                April 2026


   SCIM resource representations in this document are encoded in JSON
   [RFC8259] as required by [RFC7643].

1.2.  Scope

   This specification applies to SCIM User resources only.

   This specification defines schema and resource representations,
   discovery behavior, filtering, pagination, and PATCH expectations for
   binding resources, and lifecycle and privacy semantics for DID and VC
   bindings.

   This specification does not define DID method semantics, DID
   resolution protocols, VC issuance or presentation protocols, proof
   formats, wallet protocols, or authentication and federation
   replacement.

1.3.  Problem Statement

   A provisioning client frequently needs to answer questions such as:

   *  Which SCIM user is bound to this DID?

   *  Which users have an active workforce or employment credential from
      a trusted issuer?

   *  What is the effect of credential revocation on the provisioned
      account?

   *  Can the service provider support pairwise DIDs, credential status
      checking, and external verifier delegation?

   Base SCIM does not answer those questions in an interoperable way.

1.4.  Design Goals

   This specification has four goals:

   1.  preserve SCIM as the provisioning and lifecycle layer;

   2.  preserve DID and VC systems as the cryptographic trust layer;

   3.  minimize correlation and over-disclosure; and

   4.  define a small interoperable subset that clients and servers can
       implement consistently.





Kushwaha                 Expires 31 October 2026                [Page 4]

Internet-Draft             SCIM DID/VC Binding                April 2026


2.  Architecture Overview

   This specification uses a dual-layer model:

   *  A read-only User extension provides lightweight discoverability.

   *  A mutable IdentityBinding resource carries binding state, DID
      references, credential references, and lifecycle state.

   A SCIM service provider MAY validate DID and VC evidence itself or
   MAY delegate validation to an external verification service.  If
   validation is delegated, the wire protocol between the SCIM service
   provider and the verifier is out of scope.  The SCIM service provider
   remains responsible for exposing standards-conformant SCIM resources
   and state transitions.

   A service provider conforming to this specification MUST NOT persist
   full DID documents in SCIM resources and MUST NOT persist full VC
   payloads in SCIM resources.  A service provider SHOULD store only
   references, identifiers, validation timestamps, and normalized
   outcomes.

3.  Data Model

   This specification defines three distinct status vocabularies: per-
   DID status reflects DID document state (such as whether a DID has
   been verified or deactivated), per-credential status reflects
   verifiable credential lifecycle state (such as validity-period or
   revocation outcomes), and binding-level status reflects the composite
   lifecycle of the IdentityBinding resource itself.  These vocabularies
   are intentionally not unified.  The aggregate User.bindingState
   additionally defines the value none to indicate a user with no
   bindings (see Section 3.1), which does not appear in any resource-
   level status.

3.1.  User Extension Schema

   The schema URI for the User extension defined by this specification
   is urn:ietf:params:scim:schemas:extension:didvc:2.0:User.

   This extension is a derived, read-only projection of the user's
   decentralized identity binding state.  Clients do not create bindings
   by writing this extension; they create or modify IdentityBinding
   resources.







Kushwaha                 Expires 31 October 2026                [Page 5]

Internet-Draft             SCIM DID/VC Binding                April 2026


   +============+=======+===+===+==========+==========+===============+
   |Attribute   |Type   |MV |Req|Mutability|Values    |Description    |
   +============+=======+===+===+==========+==========+===============+
   |primaryDid  |string |no |no |readOnly  |-         |The verified   |
   |            |       |   |   |          |          |primary DID    |
   |            |       |   |   |          |          |currently      |
   |            |       |   |   |          |          |associated with|
   |            |       |   |   |          |          |the user, if   |
   |            |       |   |   |          |          |any.  Derived  |
   |            |       |   |   |          |          |from the active|
   |            |       |   |   |          |          |primary        |
   |            |       |   |   |          |          |IdentityBinding|
   |            |       |   |   |          |          |per the        |
   |            |       |   |   |          |          |algorithm in   |
   |            |       |   |   |          |          |Section 3.1.1. |
   +------------+-------+---+---+----------+----------+---------------+
   |bindingState|string |no |yes|readOnly  |none,     |Aggregate state|
   |            |       |   |   |          |pending,  |derived from   |
   |            |       |   |   |          |active,   |active bindings|
   |            |       |   |   |          |suspended,|for the user.  |
   |            |       |   |   |          |revoked,  |The value none |
   |            |       |   |   |          |rejected  |indicates the  |
   |            |       |   |   |          |          |user has no    |
   |            |       |   |   |          |          |associated     |
   |            |       |   |   |          |          |IdentityBinding|
   |            |       |   |   |          |          |resources and  |
   |            |       |   |   |          |          |does not appear|
   |            |       |   |   |          |          |in binding-    |
   |            |       |   |   |          |          |level status   |
   |            |       |   |   |          |          |vocabularies.  |
   +------------+-------+---+---+----------+----------+---------------+
   |bindingRefs |complex|yes|no |readOnly  |-         |References to  |
   |            |       |   |   |          |          |IdentityBinding|
   |            |       |   |   |          |          |resources      |
   |            |       |   |   |          |          |associated with|
   |            |       |   |   |          |          |the user.      |
   +------------+-------+---+---+----------+----------+---------------+

                    Table 1: User Extension Attributes












Kushwaha                 Expires 31 October 2026                [Page 6]

Internet-Draft             SCIM DID/VC Binding                April 2026


   +=============+=========+===+==========+==========+=================+
   |Sub-Attribute|Type     |Req|Mutability|Values    | Description     |
   +=============+=========+===+==========+==========+=================+
   |value        |string   |yes|readOnly  |-         | The SCIM id of  |
   |             |         |   |          |          | the             |
   |             |         |   |          |          | IdentityBinding |
   |             |         |   |          |          | resource.       |
   +-------------+---------+---+----------+----------+-----------------+
   |$ref         |reference|yes|readOnly  |-         | URI of the      |
   |             |         |   |          |          | IdentityBinding |
   |             |         |   |          |          | resource.       |
   +-------------+---------+---+----------+----------+-----------------+
   |display      |string   |no |readOnly  |-         | Human-readable  |
   |             |         |   |          |          | label for the   |
   |             |         |   |          |          | binding.        |
   +-------------+---------+---+----------+----------+-----------------+
   |primary      |boolean  |no |readOnly  |-         | Indicates       |
   |             |         |   |          |          | whether this    |
   |             |         |   |          |          | binding is the  |
   |             |         |   |          |          | source of       |
   |             |         |   |          |          | primaryDid.     |
   +-------------+---------+---+----------+----------+-----------------+
   |status       |string   |yes|readOnly  |pending,  | Current         |
   |             |         |   |          |active,   | lifecycle state |
   |             |         |   |          |suspended,| of the          |
   |             |         |   |          |revoked,  | referenced      |
   |             |         |   |          |rejected  | binding.        |
   +-------------+---------+---+----------+----------+-----------------+

                    Table 2: bindingRefs Sub-Attributes

   A conforming server MUST derive primaryDid, bindingState, and
   bindingRefs from IdentityBinding resources, MUST NOT allow clients to
   directly mutate this extension, MUST omit primaryDid when no verified
   primary DID exists, and MUST ensure that at most one bindingRefs
   entry has primary=true.

3.1.1.  Derivation of primaryDid

   A server MUST derive User.primaryDid using the following algorithm:

   1.  Collect all IdentityBinding resources whose user.value matches
       the target user and whose binding-level status is active.

   2.  From that set, select the binding for which
       bindingRefs.primary=true is set in the User extension projection.
       At most one such binding is permitted.




Kushwaha                 Expires 31 October 2026                [Page 7]

Internet-Draft             SCIM DID/VC Binding                April 2026


   3.  Within that binding, select the dids entry with primary=true and
       status=verified.

   4.  Set User.primaryDid to the value of that DID entry.  If no such
       entry exists, omit User.primaryDid.

   A server MUST NOT set User.primaryDid from a binding that is not in
   active status, and MUST clear User.primaryDid when the binding that
   sourced it transitions out of active status or is deleted.

   If multiple active bindings each contain a DID entry with
   primary=true, the server MUST reject creation or PATCH operations
   that would produce this ambiguous state with HTTP 400 and a SCIM
   error type of invalidValue.

3.2.  IdentityBinding Resource

   The IdentityBinding resource type uses the endpoint /IdentityBindings
   and the schema URI
   urn:ietf:params:scim:schemas:extension:didvc:2.0:IdentityBinding.

   An IdentityBinding resource represents the auditable linkage between
   one SCIM User resource and one or more DIDs, together with optional
   references to credentials whose validation influences the state of
   the binding.

   All IdentityBinding resources include the standard SCIM common
   attributes defined in Section 3.1 of [RFC7643], including id,
   externalId, and meta.  The meta.lastModified timestamp records the
   time of the most recent update to the resource representation.  The
   lastValidationAttempt attribute defined in this specification is
   distinct from meta.lastModified: it records when a validation cycle
   was last run against the DID and credential evidence, which may
   differ from when the resource itself was last written.

   +=====================+========+===+===+==========+==========+==================+
   |Attribute            |Type    |MV |Req|Mutability|Values    |Description       |
   +=====================+========+===+===+==========+==========+==================+
   |user                 |complex |no |yes|immutable |-         |Reference to the  |
   |                     |        |   |   |          |          |bound SCIM User.  |
   +---------------------+--------+---+---+----------+----------+------------------+
   |correlationModel     |string  |no |yes|immutable |pairwise, |Privacy           |
   |                     |        |   |   |          |shared,   |expectation for   |
   |                     |        |   |   |          |public    |DID reuse across  |
   |                     |        |   |   |          |          |relying parties.  |
   |                     |        |   |   |          |          |See Section 3.3   |
   |                     |        |   |   |          |          |for the           |
   |                     |        |   |   |          |          |relationship      |



Kushwaha                 Expires 31 October 2026                [Page 8]

Internet-Draft             SCIM DID/VC Binding                April 2026


   |                     |        |   |   |          |          |between this field|
   |                     |        |   |   |          |          |and per-DID       |
   |                     |        |   |   |          |          |relationship      |
   |                     |        |   |   |          |          |values.           |
   +---------------------+--------+---+---+----------+----------+------------------+
   |dids                 |complex |yes|yes|readWrite |-         |DIDs associated   |
   |                     |        |   |   |          |          |with the binding. |
   +---------------------+--------+---+---+----------+----------+------------------+
   |credentials          |complex |yes|no |readWrite |-         |Credential        |
   |                     |        |   |   |          |          |references        |
   |                     |        |   |   |          |          |associated with   |
   |                     |        |   |   |          |          |the binding.      |
   +---------------------+--------+---+---+----------+----------+------------------+
   |status               |string  |no |yes|readOnly  |pending,  |Binding lifecycle |
   |                     |        |   |   |          |active,   |state.            |
   |                     |        |   |   |          |suspended,|                  |
   |                     |        |   |   |          |revoked,  |                  |
   |                     |        |   |   |          |rejected  |                  |
   +---------------------+--------+---+---+----------+----------+------------------+
   |lastValidationAttempt|dateTime|no |no |readOnly  |-         |Timestamp of the  |
   |                     |        |   |   |          |          |most recent       |
   |                     |        |   |   |          |          |validation        |
   |                     |        |   |   |          |          |attempt,          |
   |                     |        |   |   |          |          |regardless of     |
   |                     |        |   |   |          |          |outcome.  Updated |
   |                     |        |   |   |          |          |on both successful|
   |                     |        |   |   |          |          |and failed        |
   |                     |        |   |   |          |          |validation runs.  |
   |                     |        |   |   |          |          |Distinct from     |
   |                     |        |   |   |          |          |meta.lastModified,|
   |                     |        |   |   |          |          |which reflects    |
   |                     |        |   |   |          |          |resource write    |
   |                     |        |   |   |          |          |time.             |
   +---------------------+--------+---+---+----------+----------+------------------+
   |statusReason         |string  |no |no |readOnly  |-         |Human-readable    |
   |                     |        |   |   |          |          |explanation for   |
   |                     |        |   |   |          |          |the current       |
   |                     |        |   |   |          |          |status.           |
   +---------------------+--------+---+---+----------+----------+------------------+

                    Table 3: IdentityBinding Attributes










Kushwaha                 Expires 31 October 2026                [Page 9]

Internet-Draft             SCIM DID/VC Binding                April 2026


    +===============+===========+=====+============+=================+
    | Sub-Attribute | Type      | Req | Mutability | Description     |
    +===============+===========+=====+============+=================+
    | value         | string    | yes | immutable  | The SCIM id of  |
    |               |           |     |            | the bound User. |
    +---------------+-----------+-----+------------+-----------------+
    | $ref          | reference | yes | immutable  | URI of the      |
    |               |           |     |            | bound User.     |
    +---------------+-----------+-----+------------+-----------------+
    | display       | string    | no  | readOnly   | Human-readable  |
    |               |           |     |            | display name    |
    |               |           |     |            | for the user.   |
    +---------------+-----------+-----+------------+-----------------+

                       Table 4: user Sub-Attributes

   +==================+=======+===+==========+===============+=================+
   |Sub-Attribute     |Type   |Req|Mutability|Values         |Description      |
   +==================+=======+===+==========+===============+=================+
   |value             |string |yes|readWrite |-              |DID URI.         |
   +------------------+-------+---+----------+---------------+-----------------+
   |relationship      |string |yes|readWrite |primary,       |Role of the DID  |
   |                  |       |   |          |pairwise,      |in the binding.  |
   |                  |       |   |          |delegated,     |See Section 3.3  |
   |                  |       |   |          |recovery       |for the          |
   |                  |       |   |          |               |distinction      |
   |                  |       |   |          |               |between this     |
   |                  |       |   |          |               |field and the    |
   |                  |       |   |          |               |binding-level    |
   |                  |       |   |          |               |correlationModel.|
   |                  |       |   |          |               |The value        |
   |                  |       |   |          |               |recovery         |
   |                  |       |   |          |               |designates a DID |
   |                  |       |   |          |               |that is          |
   |                  |       |   |          |               |authorized to    |
   |                  |       |   |          |               |execute key      |
   |                  |       |   |          |               |recovery         |
   |                  |       |   |          |               |operations for   |
   |                  |       |   |          |               |the primary DID  |
   |                  |       |   |          |               |of the binding,  |
   |                  |       |   |          |               |as defined by the|
   |                  |       |   |          |               |applicable DID   |
   |                  |       |   |          |               |method; its      |
   |                  |       |   |          |               |presence does not|
   |                  |       |   |          |               |affect binding-  |
   |                  |       |   |          |               |level status     |
   |                  |       |   |          |               |derivation.      |
   +------------------+-------+---+----------+---------------+-----------------+



Kushwaha                 Expires 31 October 2026               [Page 10]

Internet-Draft             SCIM DID/VC Binding                April 2026


   |verificationMethod|string |no |readWrite |-              |DID URL of the   |
   |                  |       |   |          |               |verification     |
   |                  |       |   |          |               |method used for  |
   |                  |       |   |          |               |proof evaluation.|
   +------------------+-------+---+----------+---------------+-----------------+
   |proofPurpose      |string |no |readWrite |authentication,|DID proof purpose|
   |                  |       |   |          |assertionMethod|expected for     |
   |                  |       |   |          |               |verification.    |
   +------------------+-------+---+----------+---------------+-----------------+
   |controller        |string |no |readWrite |-              |DID controller   |
   |                  |       |   |          |               |identifier when  |
   |                  |       |   |          |               |known.           |
   +------------------+-------+---+----------+---------------+-----------------+
   |primary           |boolean|no |readWrite |-              |Indicates the    |
   |                  |       |   |          |               |preferred DID for|
   |                  |       |   |          |               |the binding.     |
   +------------------+-------+---+----------+---------------+-----------------+
   |status            |string |yes|readOnly  |pending,       |Per-DID          |
   |                  |       |   |          |verified,      |validation       |
   |                  |       |   |          |deactivated    |status.  The     |
   |                  |       |   |          |               |value deactivated|
   |                  |       |   |          |               |aligns with the  |
   |                  |       |   |          |               |DID Core         |
   |                  |       |   |          |               |specification's  |
   |                  |       |   |          |               |terminal state   |
   |                  |       |   |          |               |for a DID        |
   |                  |       |   |          |               |document         |
   |                  |       |   |          |               |[DID-CORE].      |
   +------------------+-------+---+----------+---------------+-----------------+

                        Table 5: dids Sub-Attributes

   +===================+=========+===+==========+========+============+
   |Sub-Attribute      |Type     |Req|Mutability|Values  |Description |
   +===================+=========+===+==========+========+============+
   |credentialId       |string   |no |readWrite |-       |Identifier  |
   |                   |         |   |          |        |of the VC,  |
   |                   |         |   |          |        |if present. |
   +-------------------+---------+---+----------+--------+------------+
   |types              |string   |yes|readWrite |-       |VC type     |
   |                   |         |   |          |        |values      |
   |                   |         |   |          |        |relevant to |
   |                   |         |   |          |        |the binding.|
   |                   |         |   |          |        |Multi-      |
   |                   |         |   |          |        |valued.     |
   +-------------------+---------+---+----------+--------+------------+
   |issuer             |string   |yes|readWrite |-       |Issuer      |
   |                   |         |   |          |        |identifier, |



Kushwaha                 Expires 31 October 2026               [Page 11]

Internet-Draft             SCIM DID/VC Binding                April 2026


   |                   |         |   |          |        |commonly a  |
   |                   |         |   |          |        |DID or URI. |
   +-------------------+---------+---+----------+--------+------------+
   |holder             |string   |no |readWrite |-       |Holder      |
   |                   |         |   |          |        |identifier, |
   |                   |         |   |          |        |if expressed|
   |                   |         |   |          |        |by the      |
   |                   |         |   |          |        |ecosystem.  |
   |                   |         |   |          |        |Implementers|
   |                   |         |   |          |        |SHOULD omit |
   |                   |         |   |          |        |this field  |
   |                   |         |   |          |        |unless      |
   |                   |         |   |          |        |explicitly  |
   |                   |         |   |          |        |required, as|
   |                   |         |   |          |        |holder DIDs |
   |                   |         |   |          |        |can create  |
   |                   |         |   |          |        |correlation |
   |                   |         |   |          |        |risk (see   |
   |                   |         |   |          |        |Section 9). |
   +-------------------+---------+---+----------+--------+------------+
   |credentialSubjectId|string   |no |readWrite |-       |Credential  |
   |                   |         |   |          |        |subject     |
   |                   |         |   |          |        |identifier, |
   |                   |         |   |          |        |if          |
   |                   |         |   |          |        |available.  |
   |                   |         |   |          |        |Implementers|
   |                   |         |   |          |        |SHOULD omit |
   |                   |         |   |          |        |this field  |
   |                   |         |   |          |        |unless      |
   |                   |         |   |          |        |explicitly  |
   |                   |         |   |          |        |required, as|
   |                   |         |   |          |        |subject DIDs|
   |                   |         |   |          |        |can create  |
   |                   |         |   |          |        |correlation |
   |                   |         |   |          |        |risk (see   |
   |                   |         |   |          |        |Section 9). |
   +-------------------+---------+---+----------+--------+------------+
   |statusRef          |reference|no |readWrite |-       |Reference to|
   |                   |         |   |          |        |credential  |
   |                   |         |   |          |        |status      |
   |                   |         |   |          |        |information.|
   +-------------------+---------+---+----------+--------+------------+
   |schemaRef          |reference|no |readWrite |-       |Reference to|
   |                   |         |   |          |        |credential  |
   |                   |         |   |          |        |schema      |
   |                   |         |   |          |        |information.|
   +-------------------+---------+---+----------+--------+------------+
   |validFrom          |dateTime |no |readWrite |-       |Start of    |



Kushwaha                 Expires 31 October 2026               [Page 12]

Internet-Draft             SCIM DID/VC Binding                April 2026


   |                   |         |   |          |        |credential  |
   |                   |         |   |          |        |validity, if|
   |                   |         |   |          |        |known.      |
   +-------------------+---------+---+----------+--------+------------+
   |validUntil         |dateTime |no |readWrite |-       |End of      |
   |                   |         |   |          |        |credential  |
   |                   |         |   |          |        |validity, if|
   |                   |         |   |          |        |known.      |
   +-------------------+---------+---+----------+--------+------------+
   |status             |string   |yes|readOnly  |pending,|Server-     |
   |                   |         |   |          |active, |normalized  |
   |                   |         |   |          |revoked,|outcome for |
   |                   |         |   |          |expired,|the         |
   |                   |         |   |          |unknown |credential  |
   |                   |         |   |          |        |reference.  |
   +-------------------+---------+---+----------+--------+------------+

                   Table 6: credentials Sub-Attributes

   A conforming server MUST require at least one dids entry in every
   IdentityBinding, MUST permit at most one dids entry with
   primary=true, MUST require relationship=primary on any DID entry with
   primary=true, and MUST set status=pending on creation unless the
   server can validate synchronously before returning the resource.

   A conforming server MUST NOT set status=active unless at least one
   DID entry has status=verified.  The server MUST update
   User.primaryDid when the binding becomes active or inactive per the
   algorithm in Section 3.1.1, and MUST reject creation of more than one
   active IdentityBinding containing the same DID value within a single
   administrative scope (the SCIM service provider, or in multi-tenant
   deployments, a single tenant) when the binding's correlationModel is
   pairwise, regardless of which User is referenced.

3.3.  Relationship Between correlationModel and dids.relationship

   The correlationModel attribute on an IdentityBinding and the
   relationship sub-attribute on individual DID entries operate at
   different levels of abstraction and are not redundant.

   correlationModel is a binding-level declaration of the privacy
   expectation for DID reuse across relying parties.  A value of
   pairwise means the DIDs in this binding are intended for use only
   with this relying party and MUST NOT be reused at other services.  A
   value of shared means the DIDs may be shared across a defined set of
   relying parties.  A value of public means the DIDs are publicly
   shareable without restriction.




Kushwaha                 Expires 31 October 2026               [Page 13]

Internet-Draft             SCIM DID/VC Binding                April 2026


   dids.relationship describes the functional role of a specific DID
   within the binding (e.g., primary for the main authentication DID,
   delegated for a capability-delegation DID, recovery for a key-
   recovery DID).  A binding with correlationModel=pairwise may contain
   multiple DID entries with different relationship values; the
   correlation model applies to all of them collectively.

   The combination correlationModel=shared with relationship=pairwise on
   an individual DID entry is permitted when one DID in the binding is
   used only pairwise while others in the same binding are shared.

3.4.  ServiceProviderConfig Extension

   The schema URI for the ServiceProviderConfig extension defined by
   this specification is
   urn:ietf:params:scim:schemas:extension:didvc:2.0:ServiceProviderConfig.

   This extension advertises the server's DID and VC binding
   capabilities without modifying the core ServiceProviderConfig schema.

   +==========================+=======+===+===+==========+=============+===============+
   |Attribute                 |Type   |MV |Req|Mutability|Values       |Description    |
   +==========================+=======+===+===+==========+=============+===============+
   |enabled                   |boolean|no |yes|readOnly  |-            |Indicates      |
   |                          |       |   |   |          |             |whether DID/VC |
   |                          |       |   |   |          |             |binding is     |
   |                          |       |   |   |          |             |currently      |
   |                          |       |   |   |          |             |enabled for new|
   |                          |       |   |   |          |             |IdentityBinding|
   |                          |       |   |   |          |             |creation.  A   |
   |                          |       |   |   |          |             |server MAY     |
   |                          |       |   |   |          |             |deploy the     |
   |                          |       |   |   |          |             |extension      |
   |                          |       |   |   |          |             |schema while   |
   |                          |       |   |   |          |             |setting this to|
   |                          |       |   |   |          |             |false to       |
   |                          |       |   |   |          |             |indicate       |
   |                          |       |   |   |          |             |temporary      |
   |                          |       |   |   |          |             |suspension of  |
   |                          |       |   |   |          |             |new binding    |
   |                          |       |   |   |          |             |intake.        |
   +--------------------------+-------+---+---+----------+-------------+---------------+
   |verificationDelegation    |string |no |yes|readOnly  |internal,    |Whether        |
   |                          |       |   |   |          |external,    |verification is|
   |                          |       |   |   |          |mixed        |performed by   |
   |                          |       |   |   |          |             |the SCIM server|
   |                          |       |   |   |          |             |(internal), an |
   |                          |       |   |   |          |             |external       |



Kushwaha                 Expires 31 October 2026               [Page 14]

Internet-Draft             SCIM DID/VC Binding                April 2026


   |                          |       |   |   |          |             |verifier       |
   |                          |       |   |   |          |             |(external), or |
   |                          |       |   |   |          |             |both depending |
   |                          |       |   |   |          |             |on DID method  |
   |                          |       |   |   |          |             |or credential  |
   |                          |       |   |   |          |             |type (mixed).  |
   |                          |       |   |   |          |             |When mixed,    |
   |                          |       |   |   |          |             |clients SHOULD |
   |                          |       |   |   |          |             |NOT assume a   |
   |                          |       |   |   |          |             |specific       |
   |                          |       |   |   |          |             |verification   |
   |                          |       |   |   |          |             |path for any   |
   |                          |       |   |   |          |             |given DID      |
   |                          |       |   |   |          |             |method or      |
   |                          |       |   |   |          |             |credential type|
   |                          |       |   |   |          |             |without out-of-|
   |                          |       |   |   |          |             |band knowledge.|
   +--------------------------+-------+---+---+----------+-------------+---------------+
   |supportedDidMethods       |string |yes|no |readOnly  |-            |DID methods    |
   |                          |       |   |   |          |             |accepted by the|
   |                          |       |   |   |          |             |service        |
   |                          |       |   |   |          |             |provider.      |
   +--------------------------+-------+---+---+----------+-------------+---------------+
   |supportedCredentialChecks |string |yes|no |readOnly  |status,      |VC checks the  |
   |                          |       |   |   |          |schema,      |server is      |
   |                          |       |   |   |          |validity,    |capable of     |
   |                          |       |   |   |          |holderBinding|evaluating.    |
   +--------------------------+-------+---+---+----------+-------------+---------------+
   |supportedCorrelationModels|string |yes|yes|readOnly  |pairwise,    |Correlation    |
   |                          |       |   |   |          |shared,      |models         |
   |                          |       |   |   |          |public       |supported by   |
   |                          |       |   |   |          |             |the server.    |
   +--------------------------+-------+---+---+----------+-------------+---------------+

            Table 7: ServiceProviderConfig Extension Attributes

4.  Processing Model

4.1.  Creation

   A client creates a User resource using normal SCIM semantics.

   A client creates an IdentityBinding by POSTing to /IdentityBindings.
   The client MUST provide user, correlationModel, and at least one dids
   entry.  The client MAY include credentials.  The server MUST verify
   that user.value references an existing User resource and MUST return
   HTTP 400 with SCIM error type invalidValue if the reference cannot be
   resolved.



Kushwaha                 Expires 31 October 2026               [Page 15]

Internet-Draft             SCIM DID/VC Binding                April 2026


   Upon creation, the server MUST create the resource in pending status
   unless synchronous validation has already completed successfully,
   MUST record normalized validation results in per-DID and per-
   credential status fields, and MUST update the derived User extension
   when binding state changes.  The server MUST return HTTP 201 with a
   Location header pointing to the created resource.

4.2.  Validation

   This specification requires that DID control be verified before a
   binding may become active.  How a client presents DID control
   evidence to the SCIM server (e.g., via a challenge-response protocol,
   a Verifiable Presentation submitted in a related flow, or a proof in
   a request header) is out of scope for this specification.
   Implementations SHOULD consult relevant specifications such as OpenID
   for Verifiable Presentations or DIF Presentation Exchange for proof
   transport mechanisms that can be integrated with SCIM deployment.

   To validate DID control, the server or delegated verifier MUST
   resolve the DID and verify that the verification method used for
   proof checking is authorized for the appropriate proof-purpose
   relationship in the DID document [DID-CORE].  The server MUST re-
   resolve DID documents when revalidating a binding, and MUST NOT rely
   on cached DID resolution results whose age exceeds the server's
   configured revalidation window.

   To validate a credential reference, the server or delegated verifier
   MUST, where applicable, verify cryptographic integrity, evaluate
   issuer and controller consistency, evaluate validFrom and validUntil,
   evaluate credential status when status information is available, and
   evaluate credential schema when schema information is available
   [VC-DATA-MODEL-2.0].

   This specification does not define proof formats or verifier APIs.

4.3.  State Transitions

   The server MUST implement the following binding-state semantics:













Kushwaha                 Expires 31 October 2026               [Page 16]

Internet-Draft             SCIM DID/VC Binding                April 2026


     +===========+===========+======================================+
     | From      | To        | Condition                            |
     +===========+===========+======================================+
     | pending   | active    | Required DID proof and all required  |
     |           |           | credential checks succeed.           |
     +-----------+-----------+--------------------------------------+
     | pending   | suspended | Validation attempt is temporarily    |
     |           |           | inconclusive before the binding has  |
     |           |           | ever been active (e.g., DID resolver |
     |           |           | unavailable at creation time).       |
     +-----------+-----------+--------------------------------------+
     | pending   | rejected  | Validation fails conclusively before |
     |           |           | the binding has ever been active.    |
     +-----------+-----------+--------------------------------------+
     | active    | suspended | Revalidation is temporarily          |
     |           |           | inconclusive, such as unavailable    |
     |           |           | resolver or unknown credential       |
     |           |           | status.                              |
     +-----------+-----------+--------------------------------------+
     | active    | revoked   | DID deactivation, credential         |
     |           |           | revocation, or policy failure is     |
     |           |           | confirmed.                           |
     +-----------+-----------+--------------------------------------+
     | suspended | active    | Revalidation succeeds.               |
     +-----------+-----------+--------------------------------------+
     | suspended | revoked   | Negative status is later confirmed.  |
     +-----------+-----------+--------------------------------------+
     | rejected  | pending   | Client corrects DID evidence via     |
     |           |           | PATCH and requests re-evaluation     |
     |           |           | (see Section 4.3.1).                 |
     +-----------+-----------+--------------------------------------+

                    Table 8: Binding State Transitions

   Once a binding has transitioned to active, subsequent conclusive
   validation failure results in transition to revoked, not rejected.
   The rejected state applies only to bindings that never achieved
   active status.

   The revoked state is terminal.  To re-establish trust after a binding
   reaches the revoked state, a client MUST create a new IdentityBinding
   resource; a server MUST NOT transition a revoked binding back to
   pending, active, or suspended.

   A server MUST NOT treat unknown or missing validation results as
   equivalent to active.





Kushwaha                 Expires 31 October 2026               [Page 17]

Internet-Draft             SCIM DID/VC Binding                April 2026


4.3.1.  Re-evaluation of Rejected Bindings

   A client MAY request re-evaluation of a binding in the rejected state
   by submitting a SCIM PATCH request that replaces or updates one or
   more dids entries (for example, correcting an invalid
   verificationMethod, replacing an unresolvable DID value, or adding a
   new DID entry).  Upon receiving such a PATCH, the server MUST
   transition the binding to pending status and MUST initiate a new
   validation cycle.  The server MUST NOT require the client to delete
   and recreate the resource solely to trigger re-evaluation after a
   correctable rejection.

4.4.  Deletion

   A service provider implementing this specification MUST support
   DELETE for IdentityBinding resources.

   Upon successful deletion of an IdentityBinding resource, the server
   MUST remove the corresponding entry from the associated User's
   bindingRefs and MUST clear User.primaryDid if the deleted binding was
   the source of that value.  The server MUST recalculate
   User.bindingState after deletion.

   A server MAY reject deletion of a binding in active status and
   require the client to first transition it to a non-active state via
   PATCH.  If such a restriction is imposed, the server MUST document
   this behavior in its ServiceProviderConfig or deployment
   documentation.

   A server MUST return HTTP 204 on successful deletion.

5.  Query, Filtering, PATCH, and Pagination

5.1.  Filtering

   SCIM filter expressions and fully qualified attribute notation are
   defined by [RFC7644].  Filter attribute values in request URIs MUST
   be percent-encoded as required by RFC 3986; the examples in this
   section show decoded values for readability.

   A service provider implementing this specification MUST support GET
   filtering on /IdentityBindings using the eq operator for the
   following attributes:

   *  user.value

   *  dids.value




Kushwaha                 Expires 31 October 2026               [Page 18]

Internet-Draft             SCIM DID/VC Binding                April 2026


   *  dids.relationship

   *  credentials.issuer

   *  credentials.types

   *  status

   *  externalId (a common attribute defined in Section 3.1 of [RFC7643]
      and inherited by all SCIM resource types)

   A service provider implementing this specification MUST additionally
   support the co (contains) and pr (present) operators for the multi-
   valued string attributes credentials.types and dids.value.  This
   allows clients to filter by partial VC type values (e.g.,
   credentials.types co "EmploymentCredential") and to find resources
   that have at least one credential or DID present.

   A service provider implementing the User extension MUST support eq
   filtering on
   urn:ietf:params:scim:schemas:extension:didvc:2.0:User:primaryDid.

   A service provider implementing this specification MUST support the
   and logical operator in combination with the attributes above.
   Support for the or and not operators is OPTIONAL.

   GET /IdentityBindings?filter=dids.value eq "did:example:123"

        Figure 1: Example Filter by DID (values shown decoded; apply
                    percent-encoding in actual requests)

   GET /IdentityBindings?filter=status eq "active" and credentials.issuer eq "did:example:issuer:acme"

                     Figure 2: Example Combined Filter

   GET /IdentityBindings?filter=credentials.types co "EmploymentCredential"

      Figure 3: Example Filter Using co Operator on Multi-valued types

   GET /Users?filter=urn:ietf:params:scim:schemas:extension:didvc:2.0:User:primaryDid eq "did:example:123"

                Figure 4: Example User Filter by primaryDid









Kushwaha                 Expires 31 October 2026               [Page 19]

Internet-Draft             SCIM DID/VC Binding                April 2026


5.2.  PATCH

   A service provider implementing IdentityBinding MUST support SCIM
   PATCH as defined by [RFC7644].  PATCH request bodies MUST conform to
   the PatchOp message format defined in Section 3.5.2 of [RFC7644],
   which requires the schemas member and an Operations array wrapping
   all individual operation objects.

   Clients SHOULD target explicit paths.

   A server MUST return HTTP 400 with a SCIM error type of mutability
   when a PATCH attempts to modify an attribute declared as immutable
   (such as user or correlationModel) or readOnly (such as status or
   lastValidationAttempt).

   {
     "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
     "Operations": [
       {
         "op": "replace",
         "path": "dids[value eq \"did:example:123\"].primary",
         "value": true
       }
     ]
   }

             Figure 5: Example PATCH to Set a Primary DID Flag

   {
     "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
     "Operations": [
       {
         "op": "replace",
         "path": "credentials[issuer eq \"did:example:issuer:acme\"].schemaRef",
         "value": "https://issuer.example/schemas/employment-v1"
       }
     ]
   }

      Figure 6: Example PATCH to Update a Credential Schema Reference











Kushwaha                 Expires 31 October 2026               [Page 20]

Internet-Draft             SCIM DID/VC Binding                April 2026


   {
     "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
     "Operations": [
       {
         "op": "replace",
         "path": "dids[value eq \"did:example:old\"].verificationMethod",
         "value": "did:example:abc123#key-2"
       }
     ]
   }

          Figure 7: Example PATCH to Correct a DID and Trigger Re-
                      evaluation of a Rejected Binding

5.3.  Pagination

   List operations for IdentityBinding resources MUST support SCIM list
   pagination as defined by [RFC7644].  A service provider MAY
   additionally support cursor-based pagination as defined by [RFC9865].

6.  Error Handling

   A conforming server MUST return SCIM error responses as defined in
   Section 3.12 of [RFC7644] for all error conditions.  The following
   table enumerates error conditions specific to this specification.


























Kushwaha                 Expires 31 October 2026               [Page 21]

Internet-Draft             SCIM DID/VC Binding                April 2026


      +====================================+========+==============+
      | Condition                          | HTTP   | SCIM         |
      |                                    | Status | scimType     |
      +====================================+========+==============+
      | user.value references a non-       | 400    | invalidValue |
      | existent User                      |        |              |
      +------------------------------------+--------+--------------+
      | Request includes more than one     | 400    | invalidValue |
      | dids entry with primary=true       |        |              |
      +------------------------------------+--------+--------------+
      | A dids entry has primary=true but  | 400    | invalidValue |
      | relationship is not primary        |        |              |
      +------------------------------------+--------+--------------+
      | Creation of a pairwise binding     | 409    | uniqueness   |
      | with a DID already used in another |        |              |
      | active pairwise binding within the |        |              |
      | same administrative scope          |        |              |
      +------------------------------------+--------+--------------+
      | PATCH attempts to modify an        | 400    | mutability   |
      | immutable attribute (user,         |        |              |
      | correlationModel)                  |        |              |
      +------------------------------------+--------+--------------+
      | PATCH attempts to modify a         | 400    | mutability   |
      | readOnly attribute (status,        |        |              |
      | lastValidationAttempt)             |        |              |
      +------------------------------------+--------+--------------+
      | Multiple active bindings with      | 400    | invalidValue |
      | primary=true would result from the |        |              |
      | operation                          |        |              |
      +------------------------------------+--------+--------------+
      | DELETE attempted on an active      | 409    | -            |
      | binding when the server requires   |        |              |
      | non-active status first            |        |              |
      +------------------------------------+--------+--------------+

                Table 9: Binding-Specific Error Conditions

7.  Discovery and Deployment

   A service provider implementing this specification MUST publish the
   User extension schema via /Schemas, MUST publish the IdentityBinding
   schema via /Schemas, MUST publish the IdentityBinding resource type
   via /ResourceTypes, and SHOULD publish the ServiceProviderConfig
   extension when supported.  Examples of the expected /Schemas and
   /ResourceTypes entries are provided in Appendix C.






Kushwaha                 Expires 31 October 2026               [Page 22]

Internet-Draft             SCIM DID/VC Binding                April 2026


   A SCIM client unaware of this specification will continue to
   interoperate with base User provisioning because unknown schema
   extensions and unknown resource types are discoverable rather than
   mandatory for unrelated operations.

8.  Security Considerations

8.1.  Threat Model

   Relevant attackers include a client that attempts to bind a DID it
   does not control, a client that replays stale credentials or proofs,
   an attacker exploiting DID key rotation or deactivation lag, an
   attacker inducing false correlation by reusing identifiers across
   relying parties, a malicious or unexpected issuer, and a compromised
   or confused delegated verifier.

8.2.  Required Mitigations

   A conforming implementation MUST evaluate DID proof authorization
   against the relevant DID verification relationship at verification
   time, MUST re-resolve DID information when revalidating a binding
   after key rotation or deactivation events are possible, MUST treat
   credential status as a verifier-side check when status information is
   available, MUST integrity-protect communication with any delegated
   verifier and authenticate that verifier, MUST apply normal SCIM
   authorization controls to IdentityBinding resources, and MUST NOT
   treat unverified bindings as equivalent to active verified bindings.

8.3.  DID Control Proof Delivery

   This specification requires that a SCIM server verify DID control
   before activating a binding, but the mechanism by which a client
   presents DID control evidence is intentionally out of scope.
   Implementers are responsible for defining or adopting a proof
   transport mechanism appropriate for their deployment.  Relevant
   existing specifications include OpenID for Verifiable Presentations
   (OID4VP) and the DIF Presentation Exchange specification.  The SCIM
   service provider MUST document the proof delivery mechanism it
   accepts as part of its deployment documentation.

   Regardless of the mechanism chosen, a server MUST NOT accept a DID
   control proof that was generated for a different relying party,
   binding resource, or session.  Servers SHOULD require proof
   presentations to include a challenge or nonce issued by the server to
   prevent replay of previously valid proofs.






Kushwaha                 Expires 31 October 2026               [Page 23]

Internet-Draft             SCIM DID/VC Binding                April 2026


8.4.  Replay Attack Mitigation

   A server SHOULD issue a fresh, single-use nonce or challenge when
   initiating a DID control proof exchange and MUST reject proof
   presentations that do not bind to the current challenge.  Similarly,
   credential validation results MUST be treated as bound to a specific
   validation timestamp and MUST NOT be replayed from a prior successful
   validation to satisfy a new validation request.

8.5.  Delegated Verifier Trust Scope

   When a SCIM service provider delegates DID or VC validation to an
   external verifier, the verifier becomes a critical trust anchor for
   the entire binding model.  A compromised or misconfigured delegated
   verifier that returns status=verified for any DID can activate
   bindings without genuine cryptographic proof of control.
   Implementations MUST scope the trust granted to a delegated verifier
   to the minimum necessary (e.g., specific DID methods or credential
   types), MUST authenticate the verifier at the transport layer, and
   SHOULD audit verifier responses for anomalies such as bulk activation
   of previously-pending bindings.

9.  Privacy Considerations

   DID Core warns that globally unambiguous identifiers create
   correlation risk and recommends pairwise DIDs where correlation is
   not desired.  DID Core also warns that even pairwise DIDs can be re-
   correlated if DID documents reuse identical verification methods or
   correlating service endpoints.  VC Data Model 2.0 separately warns
   about identifier-based, signature-based, and metadata-based
   correlation and recommends selective disclosure or unlinkable
   disclosure when strong anti-correlation properties are needed
   [DID-CORE] [VC-DATA-MODEL-2.0].

   Accordingly, an implementation conforming to this specification
   SHOULD prefer correlationModel=pairwise unless public reuse is
   intentionally desired, MUST NOT require storage of full VC payloads
   for routine SCIM provisioning behavior, SHOULD store only references
   and normalized validation outcomes, SHOULD avoid exposing DID values
   to clients that do not need them, SHOULD support privacy-preserving
   credential ecosystems that use selective disclosure or unlinkable
   disclosure, and SHOULD ensure that pairwise bindings do not
   accidentally reuse correlating DID material within the same
   administrative domain.

   The credentials.holder and credentials.credentialSubjectId sub-
   attributes, while optional, present a specific privacy risk: both
   typically contain DID URIs that directly identify the subject, and



Kushwaha                 Expires 31 October 2026               [Page 24]

Internet-Draft             SCIM DID/VC Binding                April 2026


   storing them in a SCIM resource makes the SCIM server itself a
   correlation point linking subject DIDs to SCIM account identifiers.
   This partially defeats the anti-correlation goals of pairwise DID
   usage.  Implementations SHOULD omit these fields unless there is a
   specific operational requirement for them, and SHOULD apply
   appropriate access controls to limit which clients can read them when
   they are stored.

   Even with pairwise DIDs and minimal storage, the SCIM service
   provider itself becomes a correlation point because it holds the
   mapping between all of a user's pairwise DIDs and their single SCIM
   account identifier.  Access to IdentityBinding resources MUST be
   restricted to authorized clients, and implementations SHOULD apply
   data-minimization principles to SCIM query responses (e.g., using
   SCIM attribute projection via the attributes or excludedAttributes
   query parameters).

10.  IANA Considerations

   This document requests registration of the following URIs in the
   "System for Cross-domain Identity Management (SCIM) Schema URIs"
   registry defined by [RFC7643]:

   *  urn:ietf:params:scim:schemas:extension:didvc:2.0:User

   *  urn:ietf:params:scim:schemas:extension:didvc:2.0:IdentityBinding

   *  urn:ietf:params:scim:schemas:extension:didvc:2.0:ServiceProviderConfig

   The registration templates appear in Appendix A.

11.  References

11.1.  Normative References

   [DID-CORE] World Wide Web Consortium, "Decentralized Identifiers
              (DIDs) v1.0", W3C Recommendation did-1.0, 19 July 2022,
              <https://www.w3.org/TR/did-1.0/>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC7643]  Hunt, P., Ed., Grizzle, K., Wahlstroem, E., and C.
              Mortimore, "System for Cross-domain Identity Management:
              Core Schema", RFC 7643, DOI 10.17487/RFC7643, September
              2015, <https://www.rfc-editor.org/info/rfc7643>.



Kushwaha                 Expires 31 October 2026               [Page 25]

Internet-Draft             SCIM DID/VC Binding                April 2026


   [RFC7644]  Hunt, P., Ed., Grizzle, K., Ansari, M., Wahlstroem, E.,
              and C. Mortimore, "System for Cross-domain Identity
              Management: Protocol", RFC 7644, DOI 10.17487/RFC7644,
              September 2015, <https://www.rfc-editor.org/info/rfc7644>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", STD 90, RFC 8259,
              DOI 10.17487/RFC8259, December 2017,
              <https://www.rfc-editor.org/info/rfc8259>.

   [VC-DATA-MODEL-2.0]
              World Wide Web Consortium, "Verifiable Credentials Data
              Model v2.0", W3C Recommendation vc-data-model-2.0, 15 May
              2025, <https://www.w3.org/TR/vc-data-model-2.0/>.

11.2.  Informative References

   [RFC9865]  Peterson, M., Ed., Zollner, D., and A. Sehgal, "Cursor-
              Based Pagination of System of Cross-domain Identity
              Management (SCIM) Resources", RFC 9865,
              DOI 10.17487/RFC9865, October 2025,
              <https://www.rfc-editor.org/info/rfc9865>.

Appendix A.  SCIM Schema URI Registration Templates

A.1.  User Extension

   Schema URI: urn:ietf:params:scim:schemas:extension:didvc:2.0:User

   Schema Name: DID and VC User Extension

   Intended or Associated Resource Type: User

   Purpose: Read-only discovery of DID and VC binding state for a SCIM
   user.

   Single-value Attributes: primaryDid, bindingState.

   Multi-valued Attributes: bindingRefs.

A.2.  IdentityBinding

   Schema URI:
   urn:ietf:params:scim:schemas:extension:didvc:2.0:IdentityBinding



Kushwaha                 Expires 31 October 2026               [Page 26]

Internet-Draft             SCIM DID/VC Binding                April 2026


   Schema Name: IdentityBinding

   Intended or Associated Resource Type: IdentityBinding

   Purpose: Mutable binding resource linking a SCIM User to one or more
   DIDs and optional credential references.

   Single-value Attributes: user, correlationModel, status,
   lastValidationAttempt, and statusReason.

   Multi-valued Attributes: dids and credentials.

A.3.  ServiceProviderConfig Extension

   Schema URI:
   urn:ietf:params:scim:schemas:extension:didvc:2.0:ServiceProviderConfig

   Schema Name: DID and VC ServiceProviderConfig Extension

   Intended or Associated Resource Type: ServiceProviderConfig

   Purpose: Capability discovery for DID and VC binding support.

   Single-value Attributes: enabled and verificationDelegation.

   Multi-valued Attributes: supportedDidMethods,
   supportedCredentialChecks, and supportedCorrelationModels.

Appendix B.  Examples

B.1.  Example User Representation




















Kushwaha                 Expires 31 October 2026               [Page 27]

Internet-Draft             SCIM DID/VC Binding                April 2026


   {
     "schemas": [
       "urn:ietf:params:scim:schemas:core:2.0:User",
       "urn:ietf:params:scim:schemas:extension:didvc:2.0:User"
     ],
     "id": "2819c223-7f76-453a-919d-413861904646",
     "userName": "alice@example.com",
     "name": {
       "givenName": "Alice",
       "familyName": "Ng"
     },
     "urn:ietf:params:scim:schemas:extension:didvc:2.0:User": {
       "primaryDid": "did:example:abc123",
       "bindingState": "active",
       "bindingRefs": [
         {
           "value": "c3a801b0-0b28-4c9c-a7fb-9964a6d916c1",
           "$ref": "/IdentityBindings/c3a801b0-0b28-4c9c-a7fb-9964a6d916c1",
           "display": "Primary workforce binding",
           "primary": true,
           "status": "active"
         }
       ]
     }
   }

                                  Figure 8

B.2.  Example IdentityBinding Representation






















Kushwaha                 Expires 31 October 2026               [Page 28]

Internet-Draft             SCIM DID/VC Binding                April 2026


   {
     "schemas": [
       "urn:ietf:params:scim:schemas:extension:didvc:2.0:IdentityBinding"
     ],
     "id": "c3a801b0-0b28-4c9c-a7fb-9964a6d916c1",
     "meta": {
       "resourceType": "IdentityBinding",
       "created": "2026-04-20T09:00:00Z",
       "lastModified": "2026-04-21T14:37:00Z",
       "location": "/IdentityBindings/c3a801b0-0b28-4c9c-a7fb-9964a6d916c1",
       "version": "W/\"3694e05afa83191e\""
     },
     "user": {
       "value": "2819c223-7f76-453a-919d-413861904646",
       "$ref": "/Users/2819c223-7f76-453a-919d-413861904646",
       "display": "Alice Ng"
     },
     "correlationModel": "pairwise",
     "dids": [
       {
         "value": "did:example:abc123",
         "relationship": "primary",
         "verificationMethod": "did:example:abc123#key-1",
         "proofPurpose": "authentication",
         "controller": "did:example:abc123",
         "primary": true,
         "status": "verified"
       }
     ],
     "credentials": [
       {
         "credentialId": "urn:uuid:4dd2dc49-9c0f-43f8-b96e-4f4d1f578a2d",
         "types": ["VerifiableCredential", "EmploymentCredential"],
         "issuer": "did:example:issuer:acme",
         "statusRef": "https://issuer.example/status/94567",
         "schemaRef": "https://issuer.example/schema/employment-v1",
         "validFrom": "2026-04-01T00:00:00Z",
         "validUntil": "2027-04-01T00:00:00Z",
         "status": "active"
       }
     ],
     "status": "active",
     "lastValidationAttempt": "2026-04-21T14:37:00Z",
     "statusReason": "DID control and required credential checks succeeded"
   }

                                  Figure 9




Kushwaha                 Expires 31 October 2026               [Page 29]

Internet-Draft             SCIM DID/VC Binding                April 2026


B.3.  Example ServiceProviderConfig Representation

   {
     "schemas": [
       "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig",
       "urn:ietf:params:scim:schemas:extension:didvc:2.0:ServiceProviderConfig"
     ],
     "patch": { "supported": true },
     "filter": { "supported": true, "maxResults": 200 },
     "sort": { "supported": false },
     "etag": { "supported": true },
     "urn:ietf:params:scim:schemas:extension:didvc:2.0:ServiceProviderConfig": {
       "enabled": true,
       "verificationDelegation": "mixed",
       "supportedDidMethods": ["did:web", "did:key", "did:example"],
       "supportedCredentialChecks": ["status", "schema", "validity", "holderBinding"],
       "supportedCorrelationModels": ["pairwise", "shared", "public"]
     }
   }

                                 Figure 10

Appendix C.  Discovery Examples

C.1.  Example /ResourceTypes Entry for IdentityBinding

   The following illustrates the ResourceType entry a conforming server
   MUST publish at /ResourceTypes for the IdentityBinding resource.

   {
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
     "id": "IdentityBinding",
     "name": "IdentityBinding",
     "endpoint": "/IdentityBindings",
     "description": "Auditable linkage between a SCIM User and one or more DIDs and credential references.",
     "schema": "urn:ietf:params:scim:schemas:extension:didvc:2.0:IdentityBinding",
     "meta": {
       "resourceType": "ResourceType",
       "location": "/ResourceTypes/IdentityBinding"
     }
   }

                                 Figure 11








Kushwaha                 Expires 31 October 2026               [Page 30]

Internet-Draft             SCIM DID/VC Binding                April 2026


C.2.  Example /Schemas Entry for the User Extension

   The following illustrates the Schema entry a conforming server MUST
   publish at /Schemas for the User extension defined by this
   specification.  The entry for the IdentityBinding schema and the
   ServiceProviderConfig extension schema follow the same pattern.

   {
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Schema"],
     "id": "urn:ietf:params:scim:schemas:extension:didvc:2.0:User",
     "name": "DID and VC User Extension",
     "description": "Read-only discovery of DID and VC binding state for a SCIM user.",
     "attributes": [
       {
         "name": "primaryDid",
         "type": "string",
         "multiValued": false,
         "required": false,
         "mutability": "readOnly",
         "returned": "default"
       },
       {
         "name": "bindingState",
         "type": "string",
         "multiValued": false,
         "required": true,
         "canonicalValues": ["none", "pending", "active", "suspended", "revoked", "rejected"],
         "mutability": "readOnly",
         "returned": "default"
       },
       {
         "name": "bindingRefs",
         "type": "complex",
         "multiValued": true,
         "required": false,
         "mutability": "readOnly",
         "returned": "default",
         "subAttributes": [
           { "name": "value", "type": "string", "required": true, "mutability": "readOnly" },
           { "name": "$ref", "type": "reference", "required": true, "mutability": "readOnly" },
           { "name": "display", "type": "string", "required": false, "mutability": "readOnly" },
           { "name": "primary", "type": "boolean", "required": false, "mutability": "readOnly" },
           {
             "name": "status",
             "type": "string",
             "required": true,
             "canonicalValues": ["pending", "active", "suspended", "revoked", "rejected"],
             "mutability": "readOnly"



Kushwaha                 Expires 31 October 2026               [Page 31]

Internet-Draft             SCIM DID/VC Binding                April 2026


           }
         ]
       }
     ],
     "meta": {
       "resourceType": "Schema",
       "location": "/Schemas/urn:ietf:params:scim:schemas:extension:didvc:2.0:User"
     }
   }

                                 Figure 12

Acknowledgments

   The author thanks contributors and reviewers whose feedback will be
   acknowledged in future revisions of this document.

Author's Address

   Saurabh Kushwaha
   Oracle Corporation
   Pleasanton, CA
   United States of America
   Email: saurabh.kushwaha@oracle.com



























Kushwaha                 Expires 31 October 2026               [Page 32]
